CN116996205A - Monitoring method, system, equipment and storage medium for preventing webpage from being tampered - Google Patents

Monitoring method, system, equipment and storage medium for preventing webpage from being tampered

Info

Publication number: CN116996205A
Application number: CN202310953804.2A
Authority: CN (China)
Prior art keywords: value, monitoring, information, page, values
Prior art date
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 李常乐, 田骏, 胡小伟
Current assignee: Wuhan Zhongbang Bank Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Wuhan Zhongbang Bank Co Ltd
Priority date (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date
Publication date
Events: application filed by Wuhan Zhongbang Bank Co Ltd; priority to CN202310953804.2A; publication of CN116996205A; legal status: pending

Classifications (CPC; every entry sits under H Electricity › H04 Electric communication technique › H04L Transmission of digital information, e.g. telegraphic communication)

    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols › H04L9/06 the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators › H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L63/00 Network architectures or network communication protocols for network security › H04L63/12 Applying verification of the received information › H04L63/123 received data contents, e.g. message integrity
    • H04L67/00 Network arrangements or protocols for supporting network services or applications › H04L67/01 Protocols › H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols › H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials › H04L9/3226 using a predetermined code, e.g. password, passphrase or PIN › H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols › H04L9/40 Network security protocols

Abstract

The invention provides a monitoring method, system, device and storage medium for preventing web page tampering, in the technical field of information monitoring. Its key technical points are that the monitoring method comprises the following steps. S1: at regular intervals, obtain the access status of the web page and the front-end HTML as the information value, compute the MD5 of the information value returned by the website, compare the obtained MD5 value with the MD5 value of the original page, and send the system abbreviation, the request time, the address, the current MD5 value and the MD5 comparison result to a log analysis system. S2: through a scheduled task, scan the log index for the preset time window at fixed intervals and judge by comparison whether the current MD5 value is the same as the MD5 value of the original page; if it is the same, the page is normal; if it differs, the page has been tampered with, a monitoring alarm is generated immediately through the monitoring platform, and the relevant operation and maintenance personnel are notified to resolve the problem in time. By obtaining the real-time MD5 value of the web page through scheduled execution of the monitoring script, the method avoids the risk of website tampering.

Description

Monitoring method, system, equipment and storage medium for preventing webpage from being tampered
Technical Field
The present invention relates to the field of information monitoring technologies, and in particular, to a monitoring method, system, device, and storage medium for preventing web page tampering.
Background
With the spread of internet banking, users depend more and more on the functions of the internet banking channel, and a bank's official website is its window onto the internet, so its network security is important. Online attackers are increasingly active and official websites are frequent targets, so modification of official website content would significantly damage a bank's reputation. For network security and business continuity, a bank needs to perceive network anomalies immediately so that it can take effective emergency measures in time.
To solve these problems, the bank's technology operation and maintenance team developed its own tamper-proof monitoring scheme for the official web pages: it fetches the content of the official web pages at regular intervals, detects whether the content has been tampered with by comparing MD5 values of the content, and at the same time sends the information to an internal log analysis system. The log analysis system scans the uploaded log status regularly, and as soon as it finds that the MD5 value has changed, an alarm is sent through the monitoring platform immediately to notify operation and maintenance personnel to carry out emergency handling.
Disclosure of Invention
In view of the technical problems in the prior art, the invention provides a monitoring method, system, device and storage medium for preventing web page tampering, which obtain the real-time MD5 value of a web page through scheduled execution of a monitoring script, avoid the risk of website tampering, solve the security problem of some of the bank's core websites, and achieve management and control.
According to a first aspect of the present invention, there is provided a monitoring method for preventing web page tampering, comprising the steps of:
S1: at regular intervals, obtain the access status of the web page and the front-end HTML as the information value, compute the MD5 of the information value returned by the website, compare the obtained MD5 value with the MD5 value of the original page, and send the system abbreviation, the request time, the address, the current MD5 value and the MD5 comparison result to a log analysis system;
S2: through a scheduled task, scan the log index for the preset time window at fixed intervals and judge by comparison whether the current MD5 value is the same as the MD5 value of the original page; if it is the same, the page is normal; if it differs, the page has been tampered with, a monitoring alarm is generated immediately through the monitoring platform, and the relevant operation and maintenance personnel are notified to resolve the problem in time.
On the basis of the above technical scheme, the invention can also be improved as follows.
Optionally, obtaining the access status of the web page and the front-end HTML at fixed intervals as the information value, and computing the MD5 from the information value returned by the website, includes:
step 1.1: write the system abbreviation and the website address to be called into a text file, separated by '|'; open the file in the script and read it line by line to obtain the system abbreviation and the website information;
step 1.2: request the website, judge whether it returns the status code 200, and after a 200 is returned obtain the returned front-end information and the request time;
step 1.3: compute the MD5 value of the content returned by the website.
Optionally, comparing the obtained MD5 value with the MD5 value of the original page and sending the system abbreviation, request time, address, current MD5 value and MD5 comparison result to the log analysis system includes:
step 1.4: pass the MD5 value, the system abbreviation and the request time to a self-defined function that uploads the generated JSON information to the Splunk platform;
step 1.5: after the function receives the MD5 value, system abbreviation and request time, compare the new MD5 value with the MD5 value of the original page; if they match, set the script's MD5 status variable to correct, otherwise to error; then add the system abbreviation, request time, address, current MD5 value and MD5 comparison result to a dictionary;
step 1.6: take the dictionary output above as the JSON parameter, carry the data source type key-value pair in the JSON, and arrange it into the JSON variable customized in the script;
step 1.7: upload the JSON variable information customized in the script to Splunk.
Optionally, in step 1.7 the returned message is of JSON type; if the status in the message is success and the return code is 0, uploading the monitoring information to Splunk succeeded, otherwise the upload failed;
if the upload fails, the resulting exception is caught so that the program continues without being interrupted.
Optionally, scanning the log index for the preset time at fixed intervals through a scheduled task, judging by comparison whether the current MD5 value is the same as the MD5 value of the original page (if it is the same, the page is normal; if it differs, the page has been tampered with), immediately generating a monitoring alarm through the monitoring platform, and notifying the relevant operation and maintenance personnel to resolve the problem in time, includes:
step 2.1: configure a scheduled task in the monitoring platform;
step 2.2: obtain a Splunk connection object;
step 2.3: assemble an SPL statement that queries the log information in the Splunk platform index, extracts the status field, filters on the MD5 status being equal to error, and counts automatically;
step 2.4: call the search method on the Splunk connection object, passing the SPL statement, to obtain the query result set;
step 2.5: iterate over the result set to obtain the total number of logs, i.e. the number of dial-test transactions whose MD5 status equals error;
step 2.6: if the total number of logs is greater than 0, send alarm information to operation and maintenance personnel for emergency handling.
Optionally, judging by comparison whether the current MD5 value is the same as the MD5 value of the original page (if it is the same, the page is normal; if it differs, the page has been tampered with) and immediately generating a monitoring alarm through the monitoring platform further comprises:
3.1. arrange the status code returned by the requested website and the generated MD5 value into JSON-format text, and add a key-value pair indicating whether the web page has been tampered with;
3.2. send the generated JSON to Splunk and search the JSON information through the index; if the index is shared with other log information, a search condition must be added so that only the specified system name is searched;
3.3. add a scheduled task in the monitoring platform, write a Python 3 script that calls Splunk, query the monitoring information with a Splunk log query statement, and judge the tampered key-value in the JSON information: if it indicates not tampered, the web page is normal; otherwise the web page has been tampered with, the system sends an alarm to the monitoring platform and notifies the relevant operation and maintenance personnel to handle it.
Optionally, the access status of the web page and the front-end HTML are obtained through the requests interface in Python; the monitoring alarm uses Splunk, and the queried data is converted and formatted by Python logic into a string for monitoring output, which achieves the monitoring alarm effect.
According to a second aspect of the present invention, there is provided a monitoring system for preventing web pages from being tampered with, comprising:
a dial-test calling module, used to obtain the access status of the web page and the front-end HTML at fixed intervals as the information value, compute the MD5 from the information value of the website, compare the obtained MD5 value with the MD5 value of the original page, and upload the system abbreviation, request time, address, current MD5 value and MD5 comparison result to the log analysis system;
a log monitoring module, used to scan the log index for the preset time at fixed intervals through a scheduled task, judge by comparison whether the current MD5 value is the same as the MD5 value of the original page (if it is the same, the page is normal; if it differs, the page has been tampered with), raise a monitoring alarm immediately through the monitoring platform, and notify the relevant operation and maintenance personnel to resolve the problem in time.
According to a third aspect of the present invention, there is provided an electronic device comprising a memory and a processor, the processor implementing the steps of the monitoring method for preventing web page tampering described above when executing a computer program stored in the memory.
According to a fourth aspect of the present invention, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the monitoring method for preventing web page tampering described above.
The technical effects and advantages of the invention are as follows:
the invention provides a monitoring method, system, device and storage medium for preventing web page tampering, which obtain the real-time MD5 value of a web page through scheduled execution of a monitoring script so as to avoid the risk of website tampering. The method obtains the access status of the web page and the front-end HTML at fixed intervals, computes the MD5 of the content returned by the website, compares it with the initial MD5 value of the page, and judges whether the page has been tampered with, solving the security problem of some of the bank's core websites and achieving management and control. The method requires writing an automated tool that requests the web page, obtains the returned HTML page, and adds a scheduled task to collect monitoring information at fixed intervals. The main scheme is: a Python request fetches the specified web page address and the returned monitoring information is generated and output in JSON format; a new index is created in Splunk and the corresponding token is obtained; the JSON data produced by the monitoring script is uploaded to Splunk at regular intervals, after which the monitoring information can be read directly from Splunk; finally, a scheduled task is configured in the monitoring platform which judges, for each monitoring request, whether the MD5 value of the web page is unchanged; if the MD5 values differ, a monitoring alarm is raised and the relevant operation and maintenance personnel are notified to resolve the problem in time.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
FIG. 1 is a flowchart of a monitoring method for preventing web page tampering according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a script method and a technical layer for monitoring whether a website is tampered according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the script syntax and technical layer for monitoring whether a web page has been tampered with according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that HTML is used to construct a web page and present the front-end information of the page structure, and together with CSS and JavaScript it implements page effects and interactive functions. In this description, the front-end file refers to the page obtained by the request;
MD5 is a hash algorithm; in this monitoring scheme it is obtained with the command "md5sum <html file>" in order to determine whether the web page has been tampered with, i.e. whether the MD5 value of the HTML file obtained by the request is the same as the original MD5 value.
In this embodiment, the Splunk syntax is interpreted as follows:
index: defines the index to search, followed by the index name;
search: a search statement, similar to the WHERE condition in an SQL statement;
spath: extracts fields from XML- or JSON-format data;
stats: performs statistical operations, like GROUP BY queries in SQL statements;
count: commonly used with stats; "stats count" counts the number of matching events;
sum, avg, min, max, etc.: aggregation operations over a numeric field;
sort: orders the results in ascending or descending order of a field.
It can be appreciated that, in view of the defects in the background art, according to a first aspect of the present invention an embodiment proposes a monitoring method for preventing web page tampering, as shown in FIG. 1; the monitoring method includes the following steps:
Step 1: at regular intervals obtain the access status of the web page and the front-end HTML as the information value, compute the MD5 from the information value of the website, compare the obtained MD5 value with the MD5 value of the original page, and send the system abbreviation, request time, address, current MD5 value and MD5 comparison result to the log analysis system;
In this embodiment, the monitoring method includes a dial-test call process and a log monitoring process;
Obtaining the access status of the web page and the front-end HTML at fixed intervals as the information value, computing the MD5 from the information value of the website, comparing it with the MD5 value of the original page, and finally uploading the system abbreviation, request time, address, current MD5 value and MD5 comparison result to the log analysis system includes the following steps:
Step 1.1: write the system abbreviation and the website address to be called into a txt file, separated by '|'; open the file in the script with the open method, read it line by line with the readlines method, and obtain the system abbreviation and the website URL with the split method;
It should be noted that open belongs to Python's file-handling syntax and is used to read or modify a file; its syntax is open('file', 'r') or with open('file', 'r') as file. In this scheme it is mainly used to open the txt file and obtain the system abbreviations and the URLs to be requested;
readlines is commonly used with open: after a file is opened with open, file.readlines reads the file line by line and returns the lines as a list;
split is Python's string-splitting function; in this scheme it splits the system abbreviation and the request URL in the txt file and returns them as a list.
Step 1.2: the requests module requests the website URL with GET, judges whether the status code 200 is returned, and after a 200 is returned obtains the returned front-end content and the request time;
requests is a third-party Python module for sending HTTP requests; in the monitoring script it is used to capture the front-end HTML of the requested page;
GET is the request type used when requests fetches the page; the request types are GET, POST, PUT and DELETE. Requests that normally obtain front-end pages are GET and POST, PUT modifies or creates back-end data, and DELETE removes back-end information;
content (called "context" in this scheme) is the attribute through which requests returns the front-end HTML of the requested URL; in the monitoring script the front-end information is obtained by writing response.content.
Step 1.3: call the hexdigest method of the hashlib md5 object (from hashlib import md5) to obtain the MD5 value of the content returned by the website;
It should be noted that from hashlib import md5 imports Python's MD5 implementation; MD5 is a hash function, so the hashlib library must be used;
hexdigest is the hashlib method that produces the MD5 digest: after the MD5 object is created with hashlib, the final MD5 value is obtained by calling hexdigest.
Step 1.4: pass the MD5 value, the system abbreviation and the request time to the sendSplunk sub-method;
The sendSplunk sub-method is a self-defined function used to upload the generated JSON information to the Splunk platform.
Step 1.5: the sendSplunk sub-method receives the MD5 value, system abbreviation and request time, compares the new MD5 value with the MD5 value of the original page, sets md5_status to the success value if they match and to the failure value otherwise, and adds the system abbreviation, request time, address, current MD5 value and the MD5 comparison result md5_status to the dict;
It should be noted that md5_status is a variable defined in the script to indicate whether the web page has been tampered with: its value is success when the page is intact and fail when it has been tampered with;
dict is Python's dictionary type.
Step 1.6: take the dict output above as the JSON parameter, carry the key-value pair 'sourcetype': 'manual' in the JSON, and arrange it into jsonData;
It should be noted that 'sourcetype' denotes the source type of the data; it is a key generated in JSON format in the script and its spelling is fixed;
jsonData is a JSON variable customized in this script, used to upload data to Splunk.
Step 1.7: request the Splunk address with the POST method of the requests module to upload the jsonData information to Splunk.
It should be noted that in this embodiment POST, like GET, is an HTTP request type; it is better suited to submitting data and forms, and here it is used to submit the JSON data to the Splunk platform.
In summary, the main technical layer of this embodiment uses the requests interface in Python, with the following effect:
overall, the request function is verified, the front-end text is obtained, the MD5 value of the document is correctly computed and compared with the MD5 value of the original page, and the related information is sent to the Splunk log analysis system in time.
Further, obtaining the access status of the web page and the front-end HTML at fixed intervals as the information value, and computing the MD5 from the information value returned by the website, specifically includes:
calling the website URL and, on a successful request, obtaining the front-page content through the requests module.
Furthermore, the script method and technical layer for monitoring whether the website has been tampered with are shown in FIG. 2 and include the following steps:
Step 1.1.1: add logging to the script through the logging module, outputting the date, log level and log message, and replace print statements entirely with logging.info, logging.error and the other logging level methods;
The log output format is defined in Python's logging module through logging.basicConfig; logging.info(), logging.error() and the other level methods print logs of the specified level.
Step 1.1.2: write sys_name and the website address to be called into a txt file, separated by '|'; open the file in the script with the open method, and split each line with split, which returns the parts as a list, to obtain sys_name and the website URL. If further addresses are needed later, they can be appended directly to the txt file;
Step 1.1.3: the requests module requests the website URL with GET, judges whether the status code 200 is returned, and after a 200 is returned obtains the returned front-end content;
Step 1.1.4: use from hashlib import md5 to obtain the MD5 value of the content returned by the website;
Step 1.1.5: the returned value is arranged into JSON-format text; an if comparison against the correct MD5 value decides whether the page has been tampered with. If not tampered with, a dict is output with the keys msg: SUCCESS, code: 000000; if the MD5 is inconsistent, the output is msg: FAIL, code: 999999. At the same time the current date and time, sys_name, the requested address and the current MD5 value are added to the dict;
Step 1.1.6: obtain the token of the index in Splunk and pass it as a header in the requests call to Splunk;
Step 1.1.7: call the Splunk address, taking the dict output above as the JSON parameter and carrying the key-value pair 'sourcetype' in the JSON;
Step 1.1.8: request the Splunk address with POST to upload the JSON information to Splunk, and finally obtain the returned message. The returned message is JSON; if the status in the message is success and the return code is 0, uploading the monitoring information to Splunk succeeded, otherwise the upload failed;
Step 1.1.9: if the upload fails, the exception is caught with try / except / finally so that the program continues without interruption.
It is to be noted that JSON is structured data composed of key-value pairs; in this project the output status, return code, date and other data are converted into key-value format and output to the Splunk platform. try / except / finally is Python's exception-handling statement: if an error occurs an exception is raised; try is followed by the code to be checked, except is followed by the exception type and, when the exception occurs, operations such as printing the exception information or stopping the program, and finally is followed by output or other operations that run regardless of the exception.
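The dial-test procedure of steps 1.1 to 1.7 and of steps 1.1.1 to 1.1.9, as one runnable Python example. This is added illustrative code, not the patent's script: the target file, the baseline digests, the page bodies and the fake fetcher are constructed; network I/O is injected through the fetcher and poster callables so the module runs offline; and the HEC path, the "Authorization: Splunk <token>" header and the {"text": "Success", "code": 0} reply shape are standard Splunk HTTP Event Collector conventions assumed here rather than taken from the patent. One deliberate difference from the patent: a non-200 response is recorded as md5_status=fail rather than skipped, so an outage alerts the same way a defacement does.

```python
"""Dial test: read `sys_name|url` targets, fetch, hash, compare with the baseline,
build the JSON event and upload it to Splunk HEC without ever aborting the run."""
import hashlib
import json
import logging
import time
from typing import Callable, Dict, List, Tuple

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")

HASH = hashlib.md5  # the patent uses MD5; hashlib.sha256 is a one-word drop-in replacement

# Constructed target list in the patent's `sys_name|url` format (step 1.1).
TARGET_FILE_TEXT = """\
ebank|https://ebank.example.invalid/index.html
portal|https://portal.example.invalid/
"""

# Constructed known-good pages and the baseline digests recorded from them.
GOOD_PAGES = {
    "https://ebank.example.invalid/index.html": b"<html><body>ebank ok</body></html>",
    "https://portal.example.invalid/": b"<html><body>portal ok</body></html>",
}
BASELINE = {"ebank": HASH(GOOD_PAGES["https://ebank.example.invalid/index.html"]).hexdigest(),
            "portal": HASH(GOOD_PAGES["https://portal.example.invalid/"]).hexdigest()}

Fetcher = Callable[[str], Tuple[int, bytes]]        # url -> (status_code, body)
Poster = Callable[[str, Dict[str, str], str], str]  # (url, headers, json_body) -> reply text


def fake_fetcher(url: str) -> Tuple[int, bytes]:
    """Constructed stand-in for requests.get(): the portal page comes back defaced."""
    if url == "https://portal.example.invalid/":
        return 200, b"<html><body>portal DEFACED</body></html>"
    return (200, GOOD_PAGES[url]) if url in GOOD_PAGES else (404, b"")


def failing_poster(url: str, headers: Dict[str, str], body: str) -> str:
    """Constructed poster that behaves like an unreachable HEC endpoint."""
    raise OSError("connection refused")


def parse_targets(text: str) -> List[Tuple[str, str]]:
    """Step 1.1: one `sys_name|url` per line; blank or malformed lines are skipped."""
    targets = []
    for line in text.splitlines():
        if "|" in line.strip():
            sys_name, url = line.strip().split("|", 1)
            targets.append((sys_name.strip(), url.strip()))
    return targets


def check_page(sys_name: str, url: str, fetcher: Fetcher) -> Dict[str, object]:
    """Steps 1.2-1.5: fetch, require HTTP 200, hash the body, compare with the baseline."""
    started = time.monotonic()
    status, body = fetcher(url)
    record = {"sysname": sys_name, "send_adr": url, "http_status": status,
              "elapsed_ms": int((time.monotonic() - started) * 1000),
              "check_time": time.strftime("%Y-%m-%d %H:%M:%S")}
    current = HASH(body).hexdigest() if status == 200 else ""
    ok = status == 200 and current == BASELINE.get(sys_name)  # non-200 counts as a failure
    record.update(md5=current, md5_status="success" if ok else "fail",
                  msg="SUCCESS" if ok else "FAIL", code="000000" if ok else "999999")
    (logging.info if ok else logging.error)("%s %s md5_status=%s", sys_name, url, record["md5_status"])
    return record


def build_hec_event(record: Dict[str, object]) -> str:
    """Step 1.6: wrap the dict as an HEC event carrying the fixed sourcetype key."""
    return json.dumps({"sourcetype": "manual", "event": record})


def hec_reply_ok(reply: str) -> bool:
    """Step 1.1.8: success only if the JSON reply says Success with code 0."""
    try:
        msg = json.loads(reply)
    except ValueError:
        return False
    return msg.get("code") == 0 and str(msg.get("text", "")).lower() == "success"


def send_splunk(record: Dict[str, object], hec_url: str, token: str, poster: Poster) -> bool:
    """Steps 1.7 and 1.1.9: POST the event; any failure is logged, never propagated."""
    headers = {"Authorization": "Splunk " + token, "Content-Type": "application/json"}
    ok = False
    try:
        ok = hec_reply_ok(poster(hec_url, headers, build_hec_event(record)))
    except Exception as exc:  # network error, timeout, bad reply: the dial test must go on
        logging.error("upload for %s raised %s", record["sysname"], exc)
    finally:
        logging.info("upload for %s %s", record["sysname"], "succeeded" if ok else "failed")
    return ok


def run_dial_test(fetcher: Fetcher, poster: Poster, hec_url: str, token: str) -> List[Dict[str, object]]:
    """One scheduled run over every target; returns the records with their upload result."""
    records = [check_page(s, u, fetcher) for s, u in parse_targets(TARGET_FILE_TEXT)]
    for rec in records:
        rec["uploaded"] = send_splunk(rec, hec_url, token, poster)
    return records


if __name__ == "__main__":
    healthy_hec = lambda url, headers, body: '{"text":"Success","code":0}'  # constructed reply
    for r in run_dial_test(fake_fetcher, healthy_hec,
                           "https://splunk.invalid:8088/services/collector/event", "HEC-TOKEN-PLACEHOLDER"):
        print(r["sysname"], r["md5_status"], r["code"], "uploaded" if r["uploaded"] else "not uploaded")
```

Two points worth noting when deploying a scheme like this: the comparison is only as good as the baseline, so the baseline digest must be re-recorded through a controlled change process whenever the page is legitimately updated, and pages that embed per-request values (CSRF tokens, timestamps, A/B variants) will always hash differently and need those parts stripped or a stable sub-document hashed instead.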
The main technical layer of this embodiment uses the requests interface in Python, with the following effects:
The requests library has a compact and easy-to-use API. Sending HTTP requests with it takes only a few lines of code, with no need to deal with the underlying details. It provides methods such as GET, POST, PUT and DELETE that easily send different types of requests.
Multiple authentication modes are supported. It can handle basic HTTP authentication, digest authentication, OAuth and others, which simplifies interaction with APIs (application programming interfaces) that require authentication.
In addition, the requests library has strong response handling. It can automatically parse the response content and return the corresponding object (text, JSON, image, etc.) according to the response type. It also supports streaming response content, so large responses can be handled efficiently.
Overall, the request function is verified, the front-end text is obtained, the MD5 value of the file is correctly computed, and the comparison takes effect in time.
Step 2: scan the log index for the preset time at regular intervals through a scheduled task, judge by comparison whether the current MD5 value is the same as the MD5 value of the original page (if it is the same, the page is normal; if it differs, the page has been tampered with), immediately raise a monitoring alarm through the monitoring platform, and notify the relevant operation and maintenance personnel to resolve the problem in time.
Scanning the log index for the preset time at fixed intervals through a scheduled task, judging by comparison whether the current MD5 value is the same as the MD5 value of the original page (if it is the same, the page is normal; if it differs, the page has been tampered with), immediately generating a monitoring alarm through the monitoring platform and notifying the relevant operation and maintenance personnel to resolve the problem in time includes the following steps:
Step 2.1: configure a scheduled task in the monitoring platform; in this embodiment the scheduled task is set to run every 5 minutes;
Step 2.2: call the method splunktool.splunktool() to obtain a Splunk connection object;
It should be noted that splunktool() is the interface for calling Splunk platform log information; it queries the specified log information through SPL statements.
Step 2.3: assemble the query statement "search index=srv_chk | spath status | search md5_status=fail | stats count by send_adr, sysname" in the SPL language;
It should be noted that this statement queries the log information in the Splunk platform index srv_chk, extracts the status field, filters on md5_status equal to fail, and counts automatically grouped by send_adr and sysname.
Step 2.4: call the search method on the Splunk connection object, passing the SPL statement, to obtain the query result set: search_result = splunktool_.search(SPL statement, start time, end time);
It should be noted that search_result = splunktool_.search means that after an object has been created with splunktool, the search result of the SPL statement is obtained through its search method.
Step 2.5: iterate over the result set search_result to obtain total, the number of dial-test transactions with md5_status=fail;
Note that total is the total number of matching logs in the specified Splunk index.
Step 2.6: if total is greater than 0, send alarm information to operation and maintenance personnel for emergency handling.
In summary, the monitoring method of this embodiment does away with traditional manual monitoring: nobody has to watch the error information on the monitoring platform or the server around the clock, and only a task that runs at fixed times has to be set up through the monitoring script so that monitoring is automatic. Respond to alarms promptly: if the monitoring script triggers an alarm, take measures in time to investigate and repair. A quick response minimizes losses and restores the integrity of the web page.
In this embodiment, the MD5 value of the front-end html file is obtained and compared with the MD5 value of the original front-end page; if the values are the same the page is normal, and if they differ the page has been tampered with. Specifically, the method further includes the following steps:
3.1. The status code returned by requesting the url with requests and the generated MD5 value are arranged into a json-format text, and a key indicating whether the web page has been tampered with is added;
It should be noted that a key value is the representation of a key-value pair, commonly used in dictionary-type data structures; in this project it is mainly used to produce json data.
3.2. The generated json is sent to Splunk, where the json information can be found through the index srv_chk. If the index is shared with other log information, a search condition statement must be added to find the specified sys_name;
It should be noted that index srv_chk denotes the Splunk index used to query the current monitoring log.
3.3. Add a scheduled task in the monitoring platform, write a python3 script that calls Splunk, query the monitoring information with an SPL statement, and check the tampered key value in the json information: if it indicates the page is not tampered, the web page is normal; otherwise the web page has been tampered with, and the system sends an alarm to the monitoring platform and notifies the relevant operation and maintenance staff to handle it.
It should be noted that SPL is the syntax Splunk uses to query log information, similar to a database SQL query statement.
In this embodiment, the script for monitoring whether the web page has been tampered with, as shown in fig. 3, includes the following steps:
Step 3.2.1: text file read/write: with open('file path', 'r') as f, the file object can be traversed line by line with a for loop; because each line is a string, it must be split into a list with the str.split('|') method to obtain sys_name and url;
Step 3.2.2: request the split url with requests, with the syntax r = requests.get(url, timeout=(3, 7), stream=True); check whether the return code r.status_code is 200 and obtain the front-end content r.content;
Step 3.2.3: obtain the MD5 value of the front end by importing md5 from hashlib and computing md5(r.content).hexdigest();
Step 3.2.4: upload the returned data to Splunk by requesting the Splunk address: requests.post(url, json=jsondata, headers=headers, verify=False, timeout=(3, 7)), where headers must carry the token of the index. If the code in the request result is 0, the upload to Splunk succeeded;
Step 3.2.5: Splunk query statement: index=srv_chk|space status|search md5_status=fail| stats count by send_adr, sysname;
Step 3.2.6: obtain the Splunk information by importing splunktool and calling splunktool_.search(SPL statement, start time, end time);
Step 3.2.7: send alarm information to the service desk and the monitoring platform by importing the sendessage and send_fta modules and calling sendessage.send() and send_fta.send();
Step 3.2.8: the timed task of the monitoring script is set to run once every 5 minutes; the time fields of the monitoring script represent minute, hour, day, month and day of week respectively.
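The dial-test side of steps 3.2.1 to 3.2.4 (and claim steps 1.4 to 1.7), written out as an added Python example; this is not the patent's script. It uses the standard library instead of requests so that the fetch can be swapped for an injected function and the logic runs offline; the sysnames, URLs, baseline digests and the extra 'unreachable' status are assumptions introduced here.

```python
import hashlib
import json
import time
import urllib.error
import urllib.request


def parse_targets(text):
    """Step 3.2.1: split each 'sysname|url' line into a (sysname, url) pair."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or '|' not in line:
            continue  # skip blank or malformed lines instead of crashing
        sysname, url = line.split('|', 1)
        targets.append((sysname.strip(), url.strip()))
    return targets

def default_fetch(url, timeout=7):
    """Step 3.2.2 with the standard library: return (status_code, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # non-2xx still carries a status
        return err.code, b''

def page_md5(body):
    """Step 3.2.3: MD5 hex digest of the returned front-end bytes."""
    return hashlib.md5(body).hexdigest()

def dial_test(sysname, url, baseline_md5, send_adr, fetch=default_fetch):
    """Steps 1.5 and 3.2.2-3.2.3: fetch, hash, compare and build the record.

    md5_status is 'ok' when the digest matches the baseline and 'fail' when it
    differs; 'unreachable' (an assumption added here, not one of the patent's
    two states) marks a non-200 response or a network error so that an outage
    is not reported as tampering.
    """
    start = time.monotonic()
    try:
        status, body = fetch(url)
    except OSError:
        status, body = None, b''
    cost_ms = int((time.monotonic() - start) * 1000)
    record = {'sysname': sysname, 'url': url, 'send_adr': send_adr,
              'status_code': status, 'cost_ms': cost_ms,
              'baseline_md5': baseline_md5}
    if status != 200:
        record.update(current_md5=None, md5_status='unreachable')
    else:
        current = page_md5(body)
        record.update(current_md5=current,
                      md5_status='ok' if current == baseline_md5 else 'fail')
    return record

def hec_payload(record, sourcetype='web_md5_check'):
    """Step 1.6: wrap the record as a Splunk HEC event with its sourcetype."""
    return {'event': record, 'sourcetype': sourcetype, 'time': time.time()}

def upload_succeeded(response_text):
    """Step 1.7 / claim 4: HEC answers {"text": "Success", "code": 0}."""
    try:
        msg = json.loads(response_text)
    except ValueError:
        return False
    if not isinstance(msg, dict):
        return False
    return msg.get('text') == 'Success' and msg.get('code') == 0

def post_to_splunk(hec_url, token, payload, timeout=7):
    """Step 3.2.4: POST the event with the HEC token in the Authorization
    header. TLS verification stays on here; the patent's call passes
    verify=False, which disables certificate checking."""
    req = urllib.request.Request(
        hec_url, data=json.dumps(payload).encode('utf-8'), method='POST',
        headers={'Authorization': 'Splunk ' + token,
                 'Content-Type': 'application/json'})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return upload_succeeded(resp.read().decode('utf-8'))
```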
In summary, the monitoring method of this embodiment does away with traditional manual monitoring: nobody has to watch the error information on the monitoring platform or the server around the clock, and only a task that runs at fixed times has to be set up through the monitoring script so that monitoring is automatic.
Respond to alarms promptly: if the monitoring script triggers an alarm, take measures in time to investigate and repair. A quick response minimizes losses and restores the integrity of the web page.
In addition, the method for obtaining the monitoring information from Splunk further comprises the following steps:
Step 2.3.1: the information collected by Splunk can be obtained through the SPL statement index=srv_chk|space status|search md5_status=fail| stats count by send_adr, sysname, where stats count by send_adr, sysname groups and counts the query data;
Step 2.3.2: the monitoring script can be set to run once every 5 minutes, so Splunk receives the json monitoring information once every 5 minutes;
Step 2.3.3: a scheduled task is written in the monitoring platform; its scheduling time is set to run every 5 minutes and its run mode is a python3 script;
Step 2.3.4: the Splunk statement is executed by importing splunktool into the scheduling script; the execution result of the SPL is obtained with the splunktool_.search method, which finally returns a list composed of multiple json objects, each of which can be obtained with a for loop.
Step 2.3.5: because the json format is consistent with the Python dictionary type, each value can be obtained as value = json['key'].
Step 2.3.6: all data in the json is spliced together again as strings.
Step 2.3.7: judge whether monitoring information with status fail exists within the 5 minutes. If it does, push the spliced message to the service desk as alarm information; the alarm push is used to push to the service desk and to the Blue Whale platform.
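The log-side steps 2.3.4 to 2.3.7 (and 2.5 to 2.6) as an added Python example, not the patent's script: the record set that the splunktool search would return is modelled as a constructed list of json strings, and the grouping of stats count by send_adr, sysname, the string splicing and the push decision are performed locally. The host addresses, timestamps and window bounds are constructed sample values.

```python
from collections import Counter
import json

# The SPL statement assembled in step 2.3; it is what the splunktool search
# interface would execute and is kept here only as the query of record.
SPL = ('search index=srv_chk|space status|search md5_status=fail'
       '| stats count by send_adr, sysname')

# Constructed sample of the raw search results for one 5-minute window.
SAMPLE_RESULTS = [
    json.dumps({'_time': 1690790400, 'sysname': 'portal', 'send_adr': '10.0.0.5',
                'md5_status': 'fail', 'url': 'https://example.invalid/'}),
    json.dumps({'_time': 1690790460, 'sysname': 'portal', 'send_adr': '10.0.0.6',
                'md5_status': 'fail', 'url': 'https://example.invalid/'}),
    json.dumps({'_time': 1690790400, 'sysname': 'mobile', 'send_adr': '10.0.0.5',
                'md5_status': 'ok', 'url': 'https://example.invalid/m/'}),
    json.dumps({'_time': 1690789000, 'sysname': 'intranet', 'send_adr': '10.0.0.5',
                'md5_status': 'fail', 'url': 'https://intranet.invalid/'}),
]

def parse_results(raw_list):
    """Step 2.3.5: every item is json, so load it into a dict (json['key'])."""
    return [json.loads(item) if isinstance(item, str) else dict(item)
            for item in raw_list]

def count_failures(records, start, end):
    """Step 2.5: emulate `search md5_status=fail | stats count by send_adr,
    sysname` over the records whose _time lies in [start, end)."""
    counter = Counter()
    for rec in records:
        if rec.get('md5_status') != 'fail':
            continue
        if not start <= rec.get('_time', 0) < end:
            continue
        counter[(rec.get('send_adr', ''), rec.get('sysname', ''))] += 1
    return counter

def splice_message(counter):
    """Step 2.3.6: join the grouped counts into one alarm string."""
    lines = ['web page md5 check failed:']
    for (send_adr, sysname), n in sorted(counter.items()):
        lines.append('%s from %s: %d failed dial test(s)' % (sysname, send_adr, n))
    return '\n'.join(lines)

def evaluate(raw_results, start, end):
    """Steps 2.3.7 and 2.6: return (total, message); message is None when the
    window holds no failure, so nothing is pushed."""
    counter = count_failures(parse_results(raw_results), start, end)
    total = sum(counter.values())
    return total, (splice_message(counter) if total > 0 else None)

def push_alarm(message, sinks):
    """Step 2.3.7: deliver the message to every sink (service desk, Blue Whale
    platform); sinks are callables so the transport stays pluggable."""
    for sink in sinks:
        sink(message)
    return len(sinks)

if __name__ == '__main__':
    total, message = evaluate(SAMPLE_RESULTS, 1690790400, 1690790700)
    if message:
        push_alarm(message, [print])
```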
In this embodiment, Splunk is used in the subsequent log monitoring process and has the following effects:
Real-time data analysis: Splunk can collect and process large amounts of real-time data, including logs, metrics and events. It can rapidly index and search data and display analysis results visually, helping users monitor and analyze the running state of the system in real time;
Powerful search function: Splunk has powerful search and query functions (index) that search and filter data in a variety of ways, such as by keyword, field or filter. It supports a complex query language and regular expressions (rex), which help users locate and solve problems quickly;
Data visualization and reporting: Splunk can display data visually in the form of charts, reports and the like, helping users understand the data more intuitively. Users can monitor key indicators and trends through custom dashboards and reports, giving a better picture of the service's operating state;
Security and compliance: Splunk provides a variety of security functions, including data encryption, access control and audit logs, which help enterprises ensure the security and compliance of their data. It also supports monitoring and detecting abnormal activity and provides real-time alerts and reports to help users discover and deal with security threats in time.
This function uses Splunk's query and statistics capabilities: the queried data is output as string information for monitoring through the logic statements and formatting conversion of python, achieving the effect of monitoring and alarming.
According to a second aspect of the present invention, a monitoring system for preventing web page tampering provided by an embodiment of the present invention includes:
the dial-test calling module is used for periodically acquiring the access condition of the front-end web page and html as information values, obtaining md5 through the information values of the website, comparing the obtained md5 value with the original page md5 value, and uploading the system abbreviation, the request time consumption, the sending address, the current md5 value and the md5 comparison result to the log analysis system;
the log monitoring module is used for scanning the log index for the preset time period at fixed times through a timed task, judging by comparison whether the current MD5 value is the same as the MD5 value of the original page, and, if the MD5 values differ, immediately raising a monitoring alarm through the monitoring platform and notifying the relevant operation and maintenance personnel to resolve the problem promptly.
It can be understood that the monitoring system for preventing web page tampering provided by the present invention corresponds to the monitoring method for preventing web page tampering provided by the foregoing embodiment, and the relevant technical features of the monitoring system for preventing web page tampering may refer to the relevant technical features of the monitoring method for preventing web page tampering, which are not described herein.
According to a third aspect of the present invention, an embodiment of the present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the steps of the above-mentioned monitoring method for preventing web page tampering when executing the computer program.
According to a fourth aspect of the present invention, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of a method of monitoring against tampering with a web page as described above.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Finally, it should be noted that: the foregoing description is only illustrative of the preferred embodiments of the present invention, and although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments described, or equivalents may be substituted for elements thereof, and any modifications, equivalents, improvements or changes may be made without departing from the spirit and principles of the present invention.

Claims (10)

1. A monitoring method for preventing web page tampering, the monitoring method comprising the steps of:
S1, periodically acquiring the access condition of the front-end web page and html as information values, obtaining md5 through the information values of the website, comparing the obtained md5 value with the original page md5 value, and sending the system abbreviation, the request time consumption, the sending address, the current md5 value and the md5 comparison result to a log analysis system;
S2, scanning the log index for the preset time period at fixed times through a timed task, judging by comparison whether the current MD5 value is the same as the MD5 value of the original page; if the values are the same, the page is normal; if the values differ, the page has been tampered with, a monitoring alarm is immediately raised through the monitoring platform, and the relevant operation and maintenance personnel are notified to resolve the problem promptly.
2. The monitoring method for preventing web page tampering according to claim 1, wherein the step of periodically acquiring the access condition of the front-end web page and html as the information value and obtaining the MD5 through the information value returned by the website comprises:
step 1.1: outputting the system abbreviation and the website address to be called into a text file, separating the system abbreviation and the website address by using '|', opening the file in a script, and reading the file row by row to obtain information of the system abbreviation and the website;
step 1.2: requesting the website, judging whether the website returns the 200 status code, and, once it does, acquiring the returned front-end information and the request time consumption;
step 1.3: and obtaining the md5 value returned by the website.
3. The monitoring method for preventing web page tampering according to claim 2, wherein comparing the obtained md5 value with the md5 value of the original page and sending the system abbreviation, the request time consumption, the sending address, the current md5 value and the md5 comparison result to the log analysis system comprises the following steps:
step 1.4: the md5 value, the system abbreviation and the request time consumption are sent to a self-defined function method for uploading the generated json information to the Splunk platform;
step 1.5: after receiving the md5 value, the system abbreviation and the time consumption, the new md5 value is compared with the md5 value of the original page; if the comparison result is consistent, the md5 script variable is set to correct, otherwise it is set to error; the system abbreviation, the request time consumption, the sending address, the current md5 value and the md5 comparison result are added to the dictionary;
step 1.6: taking the dictionary output before as the json parameters, and carrying the key-value pair of the data source type in the json to assemble the json variable customized in the script;
step 1.7: uploading the json variable information customized in the script to the Splunk data.
4. The monitoring method for preventing web page tampering as defined in claim 3, wherein in step 1.7, if the returned message is of json type and the status in the message is successful and the return code is 0, uploading the monitoring information to Splunk succeeded, otherwise the upload failed;
if the upload fails, an exception is raised and handled, allowing the program to proceed without interruption.
5. The monitoring method for preventing web page tampering according to claim 1, wherein the step of scanning the log index for the preset time period at fixed times through a timed task, comparing to determine whether the current MD5 value is the same as the MD5 value of the original page, treating the page as normal if the values are the same and as tampered with if they differ, immediately raising a monitoring alarm through the monitoring platform and notifying the relevant operation and maintenance staff to resolve the problem promptly comprises:
step 2.1: configuring a timed task in the monitoring platform;
step 2.2: obtaining a Splunk connection object;
step 2.3: assembling a query of the log information indexed by the Splunk platform, extracting the status field, with the query condition that the md5 script equals error, and counting automatically;
step 2.4: invoking the search method with the Splunk connection object to acquire the query record set;
step 2.5: polling the search result of the record set to obtain the total log count of dial-test transactions whose md5 script equals error;
step 2.6: if the total number of logs is greater than 0, sending alarm information to the operation and maintenance personnel for emergency handling.
6. The monitoring method for preventing web page tampering according to claim 1, wherein comparing to determine whether the MD5 value is the same as the MD5 value of the original page, treating the page as normal if the MD5 values are the same and as tampered with if they differ, and immediately raising a monitoring alarm through the monitoring platform further comprises:
3.1. the status code returned by the requested website and the generated MD5 value are arranged into a json-format text, and a key value indicating whether the web page has been tampered with is added;
3.2. the generated json is sent to Splunk, and the json information is searched through the index; if the index is shared with other log information, a search condition statement must be added and the designated system name is searched;
3.3. a scheduled task is added in the monitoring platform, a python script that calls Splunk is written, the monitoring information is queried with a Splunk log-query statement, and the tampered key value in the json information is checked: if it indicates the page is not tampered, the web page is normal; otherwise the web page has been tampered with, and the system sends an alarm to the monitoring platform and notifies the relevant operation and maintenance staff to handle it.
7. The monitoring method for preventing web page tampering according to claim 1, wherein the access condition of the front-end web page and html is acquired by calling the requests interface in python; the monitoring alarm is raised through the monitoring platform using Splunk, and the queried data is converted and output as string information for monitoring through the logic statements and formatting of python, achieving the effect of the monitoring alarm.
8. A monitoring system for preventing tampering with a web page, comprising:
the dial-test calling module is used for periodically acquiring the access condition of the front-end web page and html as information values, obtaining md5 through the information values of the website, comparing the obtained md5 value with the original page md5 value, and uploading the system abbreviation, the request time consumption, the sending address, the current md5 value and the md5 comparison result to the log analysis system;
the log monitoring module is used for scanning the log index for the preset time period at fixed times through a timed task and judging by comparison whether the current MD5 value is the same as the MD5 value of the original page; if the values are the same, the page is normal; if the values differ, the page has been tampered with, a monitoring alarm is immediately raised through the monitoring platform, and the relevant operation and maintenance personnel are notified to resolve the problem promptly.
9. An electronic device comprising a memory, a processor for implementing the steps of a method of monitoring web pages against tampering as claimed in any one of claims 1-7 when executing a computer program stored in the memory.
10. A computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the steps of a method of monitoring against tampering with a web page as claimed in any one of claims 1-7.
CN202310953804.2A 2023-07-31 2023-07-31 Monitoring method, system, equipment and storage medium for preventing webpage from being tampered Pending CN116996205A (en)

Publications (1)

Publication Number Publication Date
CN116996205A true CN116996205A (en) 2023-11-03


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination